[Product Changes] New the RAM role assumed by Container Intelligence Service for enhanced permission control
Before October 30, 2023, Container Intelligence Service used the AliyunCSDefaultRole. To enhance default security, starting October 30, 2023, Container Intelligence Service will use a dedicated, more restricted RAM service role to access user resources, including all ACK clusters.
Impacts
When you activate Container Service for Kubernetes or create an ACK cluster on or after October 30, 2023, the AliyunCISDefaultRole policy is granted by default.
-
For ACK clusters created before October 30, 2023, you are prompted to grant authorization when you use Container Intelligence Service features such as cluster inspections and cluster diagnostics.
-
For new ACK clusters created on or after October 30, 2023, you are prompted to grant authorization during cluster creation.
Assign the AliyunCISDefaultRole role to ACK
The default RAM role assumed by Container Intelligence Service is changed from AliyunCSDefaultRole to AliyunCISDefaultRole because the permissions provided by AliyunCSDefaultRole are reduced. After the change is applied, the system prompts you to assign the AliyunCISDefaultRole role to ACK when you create clusters in the ACK console or perform operations in the Container Intelligence Service console.
-
Log on with your Alibaba Cloud account or a RAM user that has the AliyunRAMFullAccess or AdministratorAccess policy. Click Go to RAM console.
NoteIf you call API operations to create clusters or use Container Intelligence Service, click Authorization to complete authorization.
The system indicates that Container Intelligence Service requires a default RAM role for its service account.
-
At the bottom of the authorization page, click Agree to Authorization.
References
For more information about the permissions provided by the AliyunCISDefaultRole role, see Authorization.
The authorization page shows that CS requests permission to access your cloud resources. The system automatically creates the role AliyunCISDefaultRole.
Log on to the Container Intelligence Service console again. You can then perform cluster diagnostics and inspections.